"The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry.

"The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing."

Chong says the surge appears to have swapped payloads changing the Dridex trojan for Locky.

Malware shippers have shifted to DOCM format attachments away from Java to bundle up Locky, FireEye figures show, with a huge burst on 11 and 9 August, and a smaller but still large round of phishing on Monday.

A massive spike in Locky phishing. Image: Supplied

Each email has a unique campaign code used to download Locky from a command and control server to victim machines, Chong says.

"These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations." Last month Locky claimed top spot for email-based malware in Q2, overtaking Dridex.